Filtering allows control of the log messages sent to each log device (262061)

Filtering applies to the disk log, memory log, FortiAnalyzer, and syslog servers, and can include or exclude messages based on type, severity, and log ID.

Use the following CLI command:

config log <device> filter
    set filter <new-filter-settings>
    set filter-type <include | exclude>
end
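To preview on the collector side which records an include or exclude filter on type, severity, and log ID would pass, the following added example (not Fortinet code) models that selection over key=value log lines. The field names `type`, `level` and `logid`, the AND-combination of criteria, and the sample records with their log IDs are assumptions constructed for illustration; the device's own filter string syntax is not modelled.

```python
import shlex

# Syslog-style severity order, most severe first (assumed "level" field values).
LEVELS = ["emergency", "alert", "critical", "error",
          "warning", "notice", "information", "debug"]

def parse_line(line):
    """Split a key=value log line into a dict, honouring double-quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:                      # ignore stray tokens without '='
            fields[key] = value
    return fields

def matches(fields, types=None, min_level=None, logids=None):
    """True when the record satisfies every criterion supplied (assumed AND logic)."""
    if types and fields.get("type") not in types:
        return False
    if logids and fields.get("logid") not in logids:
        return False
    if min_level:
        level = fields.get("level")
        if level not in LEVELS:      # unknown or missing severity never matches
            return False
        if LEVELS.index(level) > LEVELS.index(min_level):
            return False             # less severe than the threshold
    return True

def apply_filter(lines, filter_type, **criteria):
    """Model 'include' (keep matching records) and 'exclude' (drop them)."""
    if filter_type not in ("include", "exclude"):
        raise ValueError("filter_type must be 'include' or 'exclude'")
    keep_on_match = filter_type == "include"
    return [l for l in lines
            if matches(parse_line(l), **criteria) == keep_on_match]

# Constructed sample records with placeholder log IDs (not from a real device).
SAMPLE = [
    'date=2016-01-01 time=10:00:00 logid=0000000001 type=traffic level=notice msg="session start"',
    'date=2016-01-01 time=10:00:05 logid=0000000002 type=event level=warning msg="OSPF neighbor down"',
    'date=2016-01-01 time=10:00:09 logid=0000000003 type=event level=information msg="admin login"',
]

if __name__ == "__main__":
    # Keep only event records at warning severity or worse.
    for line in apply_filter(SAMPLE, "include", types={"event"}, min_level="warning"):
        print(line)
```
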

Log messages in plain text LZ4 compressed format (271477 264704)

Log messages are stored on disk and transmitted to FortiAnalyzer as plain text in LZ4 compressed format. This change improves performance and reduces disk log size, log transmission time, and bandwidth usage.

Action and Security Action fields are improved (282691)

The Action and Security Action fields in logs now distinguish more clearly between different uses of Action. Examples include traffic blocked by policy versus traffic blocked by a security profile, or different result messages of Actions such as initiating a session.

When the log disk is full, Event logs are deleted last (251467)

This feature should improve troubleshooting and diagnostics.

Send log messages to up to four syslog servers (279637)

You can use the CLI command config log {syslogd | syslogd2 | syslogd3 | syslogd4} to configure up to four remote syslog servers.

Examples include sending OSPF routing events or changes, or changes in neighbor status, to a syslog server or FortiAnalyzer.

The syntax in the CLI for enabling the feature on BGP, OSPF and OSPF for IPv6 is as follows:

config router bgp
    set log-neighbour-changes [enable | disable]
end

config router ospf
    set log-neighbour-changes [enable | disable]
end

config router ospf6
    set log-neighbour-changes [enable | disable]
end

Improve dynamic routing event logging (231511)

Major dynamic routing events, such as neighbor down/up for BGP and OSPF, are logged without having to invoke debugging commands.

Adding option for VDOM logs through management VDOM (232284)

FortiOS supports the definition of per-VDOM FortiAnalyzers. However, this requires each VDOM to log independently to its FortiAnalyzer server.

A new option, use-management-vdom, has been added to the CLI.

config vdom
    edit xxx
        config log fortianalyzer override-setting
            set use-management-vdom enable/disable
        end
end

If this option is enabled, source-ip becomes hidden, and when the FortiGate sends logs to FortiAnalyzer it uses the management VDOM IP setting as the source IP. Also, if IPsec is enabled, the tunnel is created in the management VDOM and the source IP belongs to the management VDOM.

The Log Settings GUI page (Log & Report > Log Settings) displays information about current log storage including the amount of space available on the selected storage location and so on.

Log backup and restore tools (265285)

Local disk logs can now be backed up and restored, using new CLI commands.

exec log backup <filename>

exec log restore <filename>

Restoring logs will wipe the current log and report content off the disk.

IPS logging optimization (254954)

The handling of IPS logs has been improved. No changes needed, just increased performance on the backend.

Export log messages to USB drive (258913 267501)

Logs can now be exported to a USB storage device, as LZ4 compressed files, from both the CLI and the GUI.

When you insert a USB drive into the FortiGate's USB port, the USB menu appears on the GUI. The menu shows the amount of storage on the USB disk and the log file size, and includes a Copy to USB option that you can use to copy the log file to the USB drive.

From the CLI you can use the following command to export all log messages stored in the FortiGate log disk to a USB drive:

execute backup disk alllogs usb

You can also use the following command to back up only traffic logs to a USB drive:

execute backup disk log usb traffic

Disable performance status logging by default (253700)

Performance statistic logging is now disabled by default. It can be re-enabled in CLI, to occur every 1-15 minutes (enter 0 to disable):